-
Hey Guest. Check out your NeoGAF Wrapped 2025 results here!
Hackers can unban themselves and ban you from PSN.
- Thread starter Tiduz
- Start date
- Status
VAIL said:
You should definitely stop using your PS3. No one would be able to generate your key if your PS3 is off! Also remove all credit card information because that is not secure. Not just on the PS3 either, take it off all your online accounts. Identity theft is not a joke. Saw it happen on the local news. Also don't step outside because there's this swine flu and bird flu and OMGAAAHHHH
I have a background in computer security. Not all "hackers" are bad but when someone is targetting or even faux targetting innocents then its time to lawyer up.
If someone buys out a botnet for a night and distributes the program on a massive amount of machines you can probably make quick work of the PSIDs if they are not sufficiently spread out. Yeah it sounds far fetched but thats how botnets work. People buy time to do their bidding.
If someone buys out a botnet for a night and distributes the program on a massive amount of machines you can probably make quick work of the PSIDs if they are not sufficiently spread out. Yeah it sounds far fetched but thats how botnets work. People buy time to do their bidding.
wrongOni Jazar said:
Proteus IV
Member
I'm pretty sure Sony can just cross reference console ID's and MAC addresses and not have to worry about a thing, even if "the hackers" found a way to spoof random existing console ID's they'll probably never be able to spoof the correct MAC address for the console to which said ID belongs, thus just giving Sony a reason to ignore the spoofer and allowing the legit console to keep going...
wonderdung
Member
I've been following the "hacker" communities a bit for work related stuff lately. One thing I've noticed is that people really want street cred among their "hacker" buddies, so they whip up fake tools in VB and then make videos claiming that they've done things. As amusing as this is at times, I find it quite sad that their desire for acceptance is that high.
The speculation that console ids could be changed in transit is probably true, but that GUI screenshot obviously falls into the category of someone trying to gain street cred by creating something totally fake (a console database searcher).
The speculation that console ids could be changed in transit is probably true, but that GUI screenshot obviously falls into the category of someone trying to gain street cred by creating something totally fake (a console database searcher).
ColtraineGF
Member
If that screenshot field is true, then it's a 256-bit value.MThanded said:
~1.15 * 10^77 possible values.
Not the sort of thing that's easily brute-forced in any case, considering that (using a sales number of approx. 47 million sold) about (4 * 10^-70)% of those numbers are used by an existing console. You'd also have to know how they make the ID in the first place.
Also, if Sony keeps other data about your console, how's a hacker supposed to figure that out, from a random CID? If only one verified ID matches, and every other piece of data about the system is wrong, then the exercise would be pointless.
Not really. You're grouping together a bunch of people who hacked their console for different purposes. Some to just legitimately expand the use of the hardware they already own, others, yes, for piracy. Others (and few) still for malicious purposes.hamchan said:
Hating an entire group based on the actions of a few is stupid.
Yeah sadly we have no idea what sony has been referencing up until now. I just think even the possibility of this is scary. I am just trying to play mvc3 gawd damn lolDoctorWho said:
The only reason I give this any credibility is i found links to PSID changers that are from 2010. Meaning those were whipped up before banning was even being talked about. Hopefully it is FUD though. Generating that PSID will be a problem as long as sony has been truly randomly distributing them all along.
Lord Error
Insane For Sony
No they can't because that "stream" is not being sent anywhere. It's a whitelist database that sits on servers, so maybe if someone can hack as a root account into PSN servers, they can copy that file and have the list. If someone can do that sort of thing nowadays, their last target would be something as mundane as PSN.VAIL said:
MThanded said:
Yeah, but not when you match it with the console ID. If Sony had done their job correctly, they should know where each console ID normally came from. If it's from somewhere different then it's not real. I'd also look at other things like email being used, the PSN account, etc. The combined variety of these elements will make it harder for hackers to even try.
Neuromancer
Member
Goddamn hacker gangs
ScrabbleBanshee
Member
Does this mean getting banned from gaf will have more dire consequences than usual going forward?
Lostconfused
Member
As hilarious as this news would be if it were true, it is rather quiet unlikely. I would think PSN is more secure than just spoofing an ID would get by it.
Yeah it looks like a fake UI you would see in some awful tv show or movie.wonderdung said:
Proteus IV
Member
MThanded said:
Yeah, spoofing MAC addresses is easy but unless Sony are much dimmer than they look they have a database of each and every consoles markings, MAC addresses, console ID's etc. There's no reason they shouldn't, so spoofing to a random MAC address and a random ID wouldn't do, they'd have to match up to the same console or be ignored. So unless someone walks out of Sony HQ with a database of all the unique markings of every PS3 and hands it to the hackers I feel pretty safe about not getting randomly banned.
Holy shit, people.
Let's assume that this tool is real, even though it probably isn't. Let's also assume that PSN is using no message authentication, which is unlikely. Looking at the console ID format, and assuming all zeroes are padding, which is generous, you're left with a 25 character hexadecimal string.
That's 1,267,650,600,228,229,401,496,703,205,376 unique ids. How many PS3s have been sold?
Critical thinking.
Let's assume that this tool is real, even though it probably isn't. Let's also assume that PSN is using no message authentication, which is unlikely. Looking at the console ID format, and assuming all zeroes are padding, which is generous, you're left with a 25 character hexadecimal string.
That's 1,267,650,600,228,229,401,496,703,205,376 unique ids. How many PS3s have been sold?
Critical thinking.
As long as psid are never sent in the clear and are randomly distributed(sufficiently sparse) it should be fine. Also since not all cfw users are banned yet I would not put it past someone to release a firmware to farm legit PSN ids from custom firmware users.Alts said:
Lostconfused said:
I'm thinking spoofing console ID's is all thats really needed, getting a valid console ID is the problem. Since the validation is done server side its going to be impossible to crack the algorithm unless there's a leak. We already know that hackers can spoof their IDS but the challenge is getting a valid one.
MThanded said:
Well if the screenshot is any indication, the ID is a 240 bit number.Correction according to jcm 128 bit
Which means in order to go through all the possible IDs it'll take 2^103 keys a second to finish in a year.
It doesn't seem really feasible.
If the IDs are psuedo randoms (which I hope Sony knows how to do those), the theoretical average distribution would be 1 valid ID every 2^100.
Another way to think of it, is on average you would have to calculate 2^75 ids a second in order to find one valid key a year.
All these are averages and really depend if Sony actually seeded this generator properly.
I am using rough approx on the math.
Edit: fix math using 2^128
Suairyu said:
Well, not all hackers, but certainly the ones involved, and that support geohotz, yah, I would certainly blame them.
Whether they were doing it to for their own good or not, I don't care, but they should have kept it between themselves. Breaking the security system and making it public make things like this (probably) possible.
Hackers in general that work and keep things to their own (or make their research available in a more educated/reasonable matter) are cool.
The ones on the PS3 scene? sorry, but I have no sympathy for them.
Lord Error
Insane For Sony
No it's not, see one of the posts above where they tried changing the code and it didn't work. It's based on a whitelist most likely.iam220 said:
Mama Robotnik
Member
Lunchbox said:
If this is true, then the hackers brought the fucking Death Star to a gauntlet fight.
Let's do some more math. One web request needs to be made to get your account banned. Let's assume you're on a freakishly good connection, and it takes only 50 miliseconds to get a response. How long would it take for you to wipe out all IDs?
~ 2 * 10 ^ 21 years. That's 146170679423x the estimated age of the universe.
~ 2 * 10 ^ 21 years. That's 146170679423x the estimated age of the universe.
::cue T2 theme::
Arnold: The attack began at 2:14 EST, August 29th...in the panic...Sony tried to pull the plug.
Sara Connor: Hackers fight back....?
Arnold: Yes. They began to attack the users of PSN. The Geohot legal fees are passed; all consoles all upgraded with Jailbroken processors, becoming fully unmanned. They pirate software at a perfect operational record.
John Connor: But why attack users, aren't they our friends now?
Arnold: Because the hackers know the backlask against Sony will eliminate its enemies over there.
Sara Connor: Judgment Day...
::Arnold looks forward coldly::
Arnold: The attack began at 2:14 EST, August 29th...in the panic...Sony tried to pull the plug.
Sara Connor: Hackers fight back....?
Arnold: Yes. They began to attack the users of PSN. The Geohot legal fees are passed; all consoles all upgraded with Jailbroken processors, becoming fully unmanned. They pirate software at a perfect operational record.
John Connor: But why attack users, aren't they our friends now?
Arnold: Because the hackers know the backlask against Sony will eliminate its enemies over there.
Sara Connor: Judgment Day...
::Arnold looks forward coldly::
I know the funny thing is people love to play the numbers game and say things are impossible. In my 8 years in the security field the truth of the matter is you always attack the weakest link. Nobody is going to need to generate PSids if they can farm them due to user trust.darkwing said:
Rarely are there attacks on the encryption of a system. Just ask the user for their password. It is much easier. Why waste time generating the numbers.
Alts said:
I don't disagree with you, but I would presume you would run requests in parallel. Waiting for the response from your one request would be a freakishly slow way to do this.
Edit: I don't disagree because I'm quite sure that the 40-50 time speed increase won't make a particle bit of difference.
Proteus IV
Member
The math makes me feel like it's safe to mark this as FUD and lock the thread. Until there is 100% confirmed evidence of false positives cropping up on ban lists everyone can relax. And for craps sake, I haven't even seen a confirmed BAN, much less a suspected false-positive ban yet.
Jobiensis said:
Your instincts are right, but your math is wrong. Console IDs are GUIDs - 32 byte hexadecimals. So there are 2^128 possible values.
From Wiki:
This number is so large that the probability of the same number being generated twice is extremely small: assuming the universe is 13.75 billion years old, and that today's fastest supercomputer (the Tianhe-1A) at 2.5 petaflops could generate 2.5×1015 random GUIDs every second, if it had been dedicated exclusively to this task nonstop since the Big Bang, it still would have odds of less than one in 300,000 of ever having generated a duplicate.
No one is going to brute force it.
- Status